Detections
Analytics
4.15 Ensure AWS Organizations changes are monitored
Information
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms.It is recommended that a metric filter and alarm be established for changes made to AWS Organizations in the master AWS account.
CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail logs can also be sent to an external Security Information and Event Management (SIEM) environment for monitoring and alerting.
Monitoring AWS Organizations changes can help you prevent unwanted, accidental, or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps ensure that any unexpected changes made within your AWS Organizations can be investigated and that any unwanted changes can be rolled back.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
If you are using CloudTrail trails and CloudWatch, perform the following steps to set up the metric filter, alarm, SNS topic, and subscription:-
Create a metric filter based on the provided filter pattern that checks for AWS Organizations changes and uses the <trail-log-group-name> taken from audit step 1:
aws logs put-metric-filter --log-group-name <trail-log-group-name> --filter-name <organizations-changes> --metric-transformations metricName=<organizations-changes>,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }'
Note : You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
-
Create an SNS topic that the alarm will notify:
aws sns create-topic --name <sns-topic-name>
Note : You can execute this command once and then reuse the same topic for all monitoring alarms.
Note : Capture the TopicArn that is displayed when creating the SNS topic in step 2.
-
Create an SNS subscription for the topic created in step 2:
aws sns subscribe --topic-arn <sns-topic-arn> --protocol <sns-protocol> --notification-endpoint <sns-subscription-endpoints>
Note : You can execute this command once and then reuse the same subscription for all monitoring alarms.
-
Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2:
aws cloudwatch put-metric-alarm --alarm-name <organizations-changes> --metric-name <organizations-changes> --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns-topic-arn>
See Also
Item Details
Audit Name: CIS Amazon Web Services Foundations v4.0.1 L1
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7, 800-53|AU-7(1), 800-53|AU-12, CSCv7|6.2, CSCv7|6.3, CSCv7|14.6
Plugin: amazon_aws
Control ID: 618a2eeb9db441e261319e60d666686eb0885c299aa4559bf618a8a93b060954